Restrict App Engine access to G Suite accounts on custom domain


Problem description

A while ago, App Engine-related settings for Google Apps (which is now called G Suite) domains have been moved to the Google Cloud Console.

As of now, the documented way to restrict access to an App Engine instance to users of the associated G Suite is through this Google Cloud Console page:

When you click on [Edit] in that page, under "Google authentication" you can switch between "Google Accounts API" and "Google Apps domain" (which should actually be called "G Suite domain").

There is an input box below that dropdown, but no explanation of what should be input there. Through trial-and-error I have found that it's supposed to be the domain name of the associated G Suite.

In a minimal Hello World app deployed to App Engine, we set the authentication option to:

login: required

Please note that some services of our app are written in Python, others in Java.

Accessing the App Engine instance through the [project-id].appspot.com hostname works just fine: Google will prompt for credentials on the associated G Suite, and redirect appropriately through the authentication process to the target pathname.

The problem is that authentication does not work, at all, when accessing the App Engine instance through a custom domain. This will show a 500, and the server log reads:

Authentication for the Google Apps domain example.com can only be performed when requests are served from a subdomain of that domain or it has been approved through the Google Apps Control Panel. See https://developers.google.com/appengine/articles/auth

The linked page in that error message does not exist anymore, i.e. it has been replaced with a page that describes authentication in general. Lifting that old page from online caches, I can see that it described the old Google Apps way of adding the App Engine project to the Google Apps services page, but as of now this functionality has been removed, or migrated to Google Cloud Console.

For what it's worth, Google support could not offer any assistance beyond pointing me at documentation of the screenshotted pages above.

Is there anyone here who managed to restrict App Engine access to G Suite accounts through a custom domain? Or is this feature just broken?

In particular I'm looking for answers that solve this in the context of Python and/or Java GAE apps, and for code that demonstrates how to solve this programmatically if needed.

Solution

It appears this is a known issue with Google Apps Domain authentication, where the authentication does not work if you enable Google Apps Domain authentication after the domain is added to the 'Custom domains' section of the console.

The workaround is to remove the custom domain mapping from 'Custom domains', and then re-add it after enabling Google Apps Domain authentication for the domain. The documentation page Using Custom Domains and SSL will be updated to reflect this.
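
For the programmatic route the question asks about, a defence-in-depth check inside the app can reject accounts outside the G Suite domain regardless of the console setting. This is an added example, not code from the question or the answer; it assumes the signed-in address reaches the WSGI environ as USER_EMAIL (in a real app, read it from the Users API), uses example.com as a placeholder domain, and DomainGate, email_in_domain and status_for are hypothetical names.

```python
ALLOWED_DOMAIN = "example.com"  # placeholder, as in the log message quoted above


def email_in_domain(email, domain=ALLOWED_DOMAIN):
    """True only if the part after the single '@' equals `domain` exactly."""
    if not email or email.count("@") != 1:
        return False
    local, _, host = email.partition("@")
    # Exact, case-insensitive match: endswith() would also accept
    # "evilexample.com", and a substring test "example.com.evil.test".
    return bool(local) and host.lower() == domain.lower()


class DomainGate(object):
    """WSGI middleware (hypothetical name): 403 unless the user is in the domain."""

    def __init__(self, app, domain=ALLOWED_DOMAIN, email_key="USER_EMAIL"):
        self.app = app
        self.domain = domain
        self.email_key = email_key  # assumed environ key for the signed-in address

    def __call__(self, environ, start_response):
        if email_in_domain(environ.get(self.email_key, ""), self.domain):
            return self.app(environ, start_response)
        body = b"Forbidden: account is not in the allowed domain\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def hello_app(environ, start_response):
    """Minimal Hello World app standing in for the real service."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"Hello World\n"]


def status_for(email):
    """Send one constructed request through the gate; return the status line."""
    seen = []
    gated = DomainGate(hello_app)
    list(gated({"USER_EMAIL": email}, lambda status, headers: seen.append(status)))
    return seen[0]


if __name__ == "__main__":
    for addr in ("alice@example.com", "mallory@evilexample.com", ""):
        print(repr(addr), "->", status_for(addr))
```

The gate fails closed: a missing or malformed address gets a 403 rather than falling through to the app.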
